If you haven't previously considered cybersecurity insurance, it may be time to do so. Insurance companies' cyber-insurance policies promise to help organizations mitigate losses from data breaches, business interruption, network damage, and other cyber-incidents. These policies have been available for several years, but they are changing—particularly in the risks that are covered.
Driven by huge growth in recent years, the cyber-insurance industry has matured, allowing insurers to assess the risk of potential customers and, in most cases, find a way to offer them coverage, even for customers with less-than-perfect security records, say some insurance experts.
Cyber insurance can be a cost-effective way to protect companies from “catastrophic cyber-events,” says Thomas Reagan, cyber practice leader at Marsh USA, a large insurance broker and cybersecurity strategic consulting firm. “I would encourage [potential] clients to dig in, to take a fresh look at cyber insurance if they haven't done it in the last couple of years.”
It certainly has been a good market for the providers. The cyber-insurance industry has experienced a huge growth spurt in recent years. Between 2015 and 2016, the value of premiums written surged 35 percent, according to reports by Fitch Ratings and A.M. Best. And PwC predicted annual premiums will grow from $5 billion this year to $7.5 billion by 2020.
Cyber insurance is “one of the most successful segments of the insurance market over the past 10 or 15 years,” Reagan says. “The industry has gotten quite comfortable with understanding the risks companies face and providing really helpful solutions.”
Cyber insurance available for most companies
Insurers are “interested in providing insurance to companies of all shapes and sizes,” says Reagan. “The process of underwriting cyber insurance has become pretty accessible over the past couple of years. Most companies find the process of securing cyber insurance to be far quicker and far easier than they might fear or anticipate.”
That doesn't mean insurers write premiums willy-nilly. Responsible insurers conduct risk audits as part of the process of underwriting an insurance policy for a new client, but the process is less involved than you might think.
In other words, if a potential client wants to buy cyber insurance, most insurers will find a way to provide it. If a company has a high risk of a catastrophic breach, its coverage might cost more than the same package for the company down the street, however.
Why cyber-insurance claims may be rejected
No matter the specialty, insurance companies want to minimize their own risk, and they look for their clients to behave appropriately. If you don't lock your back door, your homeowner's insurance provider may look at you askance if you put in a claim for a break-in, for instance. Similarly, insurers may reject claims from covered cybersecurity clients because of poor security practices. Insurers can reject claims for a company's failure to maintain its cybersecurity systems or for failing to configure them properly, cyber-insurance experts say.
Some policies don't cover social engineering attacks in which a company employee gives data to the attacker, and some insurers don't cover ransomware payments or related damage from a ransomware attack.
While cyber insurance pays out a higher percentage of claims than most other types of insurance, insurers are “very much interested in seeing your security measures maintained and updated,” says Serg Panfilov, CEO of CyberDot, a startup insurance broker focused on small businesses.
Insurance customers should make sure they understand their coverage and exclusions, Panfilov recommends. They should be careful to fill out the insurance application accurately and follow minimal security requirements, such as regular patching and user management. Insurance companies also resist paying for criminal, fraudulent, and dishonest acts by the insured company, he says.
What cyber-insurance companies look for
As part of the process of underwriting a policy, insurance providers typically conduct a basic audit of the potential customer's cybersecurity practices. CyberDot looks for the “minimal security controls” a potential customer has in place, Panfilov says. Companies can best prepare for buying a cyber-insurance policy by conducting their own audits before the insurance company does.
Panfilov says a good cyber-insurance risk assessment considers whether a potential customer:
- Has deployed perimeter firewalls and antivirus software
- Uses strong and complex passwords
- Installs software patches regularly
- Has a user management process in place
- Uses end-of-life hardware and software
- Has physical security controls
- Encrypts mobile devices that interact with sensitive or regulated data
In addition to Panfilov's list, companies should have a written cybersecurity policy in place, provide basic security training to employees, and consistently review and respond to security monitoring alerts, says Andy Jordan, senior security architect at Mosaic451, a managed cybersecurity service provider. “All of these are very basic steps, and any company in today's world not following those practices will likely have far bigger problems to worry about than being denied insurance,” he says.
At the most basic level, continual monitoring of network traffic is an “absolute requirement,” Jordan adds. Security teams need to detect and respond to breaches “before serious damage is done.”
Prospective cyber-insurance clients should also do technical control assessments to ensure their security controls are up to date. “We see that many companies will look at the regulatory compliance requirements they face and, upon meeting the bare minimum for those requirements, consider their cybersecurity job done,” Jordan says. “In today's environment of constantly evolving threats, this can be a grave mistake.”
By proactively improving their cybersecurity programs instead of trying to meet a standard, companies can both strengthen their defenses and become good candidates for cyber insurance, Jordan says.
Cyber-insurance red flags
Insurance companies notice major cybersecurity weaknesses, Jordan points out. “One of the biggest red flags for cybersecurity insurance would have to be a repeated pattern of identified vulnerabilities or weaknesses that go unremediated,” he says. “There are enough unknown threats facing companies today. Those that fail to address the threats they know about place themselves—and by extension any company willing to underwrite their business—at extraordinary risk.”
Still, many companies seem to struggle with ways to assess their cybersecurity readiness, and insurance companies aren't always able to accurately measure whether a client is meeting minimum security standards, says James Goepel, CEO and general counsel of cybersecurity consulting firm Fathom Cyber.
While basic security practices are not a big mystery, insurers and their clients still need to come up with a “set of measurements that can be used to validate that an insured is meeting a minimum set of requirements for a particular tier,” Goepel says.
A good set of standards would be based around common commercial products, such as IT asset management tools and antivirus tools, and would incorporate information such as scan results and settings from each of those products. This kind of tool would help company executives be sure they're doing the “right thing” and would help communicate the information to insurance companies, regulators, and shareholders, Goepel says.
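As an added illustration of the self-audit and the measurable, tier-style evidence discussed above (this is example code, not from the article or any of the firms quoted), the following Python script checks a constructed asset and account inventory against several of the checklist items: patch age, end-of-life status, antivirus presence, encryption on mobile devices and stale user accounts. The inventory format, the thresholds and the fixed assessment date are assumptions.

```python
from datetime import date

# Constructed sample inventories (not real data): one record per host / account.
INVENTORY = [
    {"host": "fs01", "type": "server", "last_patched": date(2017, 9, 30),
     "eol": False, "av": True, "encrypted": True},
    {"host": "lt-sales-07", "type": "laptop", "last_patched": date(2017, 4, 2),
     "eol": False, "av": True, "encrypted": False},
    {"host": "db-legacy", "type": "server", "last_patched": date(2016, 1, 15),
     "eol": True, "av": False, "encrypted": True},
]
ACCOUNTS = [
    {"user": "jsmith", "enabled": True, "last_login": date(2017, 10, 12)},
    {"user": "contractor-old", "enabled": True, "last_login": date(2017, 3, 1)},
    {"user": "tmp-intern", "enabled": False, "last_login": date(2017, 6, 1)},
]

# Assumed thresholds; an insurer's minimum tier would define its own.
MAX_PATCH_AGE_DAYS = 30
MAX_IDLE_ACCOUNT_DAYS = 90
TODAY = date(2017, 10, 15)  # fixed so the results are reproducible


def assess_assets(inventory, today=TODAY, max_patch_age=MAX_PATCH_AGE_DAYS):
    """Return (host, control, detail) for every failed host-level control."""
    findings = []
    for a in inventory:
        age = (today - a["last_patched"]).days
        if age > max_patch_age:
            findings.append((a["host"], "patching", f"last patched {age} days ago"))
        if a["eol"]:
            findings.append((a["host"], "end-of-life", "unsupported hardware/software"))
        if not a["av"]:
            findings.append((a["host"], "antivirus", "no antivirus agent installed"))
        if a["type"] == "laptop" and not a["encrypted"]:
            findings.append((a["host"], "encryption", "mobile device not encrypted"))
    return findings


def assess_accounts(accounts, today=TODAY, max_idle=MAX_IDLE_ACCOUNT_DAYS):
    """Flag enabled accounts nobody has used within the idle threshold."""
    return [(acc["user"], "user-management", "stale enabled account")
            for acc in accounts
            if acc["enabled"] and (today - acc["last_login"]).days > max_idle]


def readiness(inventory=INVENTORY, accounts=ACCOUNTS):
    """Summarise findings per control; 'ready' means no control failed."""
    findings = assess_assets(inventory) + assess_accounts(accounts)
    per_control = {}
    for _, control, _ in findings:
        per_control[control] = per_control.get(control, 0) + 1
    return {"ready": not findings, "findings": findings, "per_control": per_control}
```

Running `readiness()` on the sample data reports six failed checks across five controls, which is the kind of per-control tally an insured could hand to an underwriter or re-run after remediation.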
So far, cyber-insurance companies often respond to client security problems “after the fact,” Goepel adds. “As the insurance market continues to mature, I think we will see more independent, upfront reporting requirements—much like the inspection that was needed when I insured my boat—along with periodic independent updates.”
Like Marsh's Reagan, Goepel doesn't see a lot of examples of insurance companies refusing to cover clients. “Except for really egregious issues, like a failure to implement a patch management system or antivirus tools, I doubt that we will see insurance companies refuse to write policies,” he says.
Still, while cyber insurance can be a valuable tool, it isn't magic. Poor security practices not only expose companies to financial loss and reputational damage, but can also prompt the insurance company to reject a claim.
“The biggest trend I am seeing in cyber insurance is that insurance companies are finding reasons to not cover a claim,” Goepel says. “Either the policy, as written, didn't cover the incident or the company failed to meet some of the requirements under the policy. This just underscores the need for more effective governance.”
Cyber insurance: Lessons for leaders
- The cyber-insurance market is maturing, and insurers are finding ways to assess potential clients' risk.
- In most cases, insurers will find a way to offer coverage to potential clients.
- Still, clients should deploy strong cybersecurity plans and do internal security audits. Doing so is sensible on its own merits, but also a way to get the best rates and avoid having claims rejected.